Fixing an issue with invalid API Keys
joanbono committed Mar 4, 2023
1 parent 553ff4c commit dcf4367
Showing 2 changed files with 18 additions and 7 deletions.
24 changes: 17 additions & 7 deletions checks.go
Expand Up @@ -3,6 +3,8 @@ package main
import (
"crypto/tls"
"fmt"
"os"
"regexp"

"github.com/fatih/color"
"github.com/monaco-io/request"
Expand All @@ -15,6 +17,14 @@ var red = color.New(color.FgRed)
var green = color.New(color.FgGreen)
var cyan = color.New(color.FgCyan)

func validateGoogleMapsApiKey(apiKey string) {
match, _ := regexp.MatchString(`AIza[0-9A-Za-z\-_]{35}`, apiKey)
if !match || len(apiKey) != 39 {
fmt.Printf("🔑 %s is not a valid Google Maps API key.\n", yellow.Sprintf(apiKey))
os.Exit(0)
}
}

func ApiChecks(api string, poc bool) {
fmt.Printf("ℹ️ Performing checks for %v\n", yellow.Sprintf(api))

Expand Down Expand Up @@ -57,10 +67,10 @@ func CustomSearchAPI(api string, poc bool) {

resp := c.Send()
value := gjson.Get(resp.String(), "error.status")
if resp.Code() == 403 && value.String() == "PERMISSION_DENIED" {
fmt.Printf("%v\n", green.Sprintf("✅ Not vulnerable to DirectionsAPI"))
if (resp.Code() == 403 && value.String() == "PERMISSION_DENIED") || (resp.Code() == 400 && value.String() == "INVALID_ARGUMENT") {
fmt.Printf("%v\n", green.Sprintf("✅ Not vulnerable to CustomSearchAPI"))
} else {
fmt.Printf("%v\n", red.Sprintf("❌ Vulnerable to DirectionsAPI"))
fmt.Printf("%v\n", red.Sprintf("❌ Vulnerable to CustomSearchAPI"))
if poc {
fmt.Printf("%v %s\n\n", yellow.Sprintf("⚠️ PoC URL:"), url)
}
Expand Down Expand Up @@ -331,7 +341,7 @@ func NearestRoadsAPI(api string, poc bool) {
resp := c.Send()
value := gjson.Get(resp.String(), "error.status")

if resp.Code() == 403 && value.String() == "PERMISSION_DENIED" {
if (resp.Code() == 403 && value.String() == "PERMISSION_DENIED") || (resp.Code() == 400 && value.String() == "INVALID_ARGUMENT") {
fmt.Printf("%v\n", green.Sprintf("✅ Not vulnerable to NearestRoadsAPI"))
} else {
fmt.Printf("%v\n", red.Sprintf("❌ Vulnerable to NearestRoadsAPI"))
Expand Down Expand Up @@ -361,7 +371,7 @@ func GeolocationAPI(api string, poc bool) {
resp := c.Send()
value := gjson.Get(resp.String(), "error.status")

if resp.Code() == 403 && value.String() == "PERMISSION_DENIED" {
if (resp.Code() == 403 && value.String() == "PERMISSION_DENIED") || (resp.Code() == 400 && value.String() == "INVALID_ARGUMENT") {
fmt.Printf("%v\n", green.Sprintf("✅ Not vulnerable to GeolocationAPI"))
} else {
fmt.Printf("%v\n", red.Sprintf("❌ Vulnerable to GeolocationAPI"))
Expand All @@ -386,7 +396,7 @@ func RouteToTraveledAPI(api string, poc bool) {

resp := c.Send()
value := gjson.Get(resp.String(), "error.status")
if resp.Code() == 403 && value.String() == "PERMISSION_DENIED" {
if (resp.Code() == 403 && value.String() == "PERMISSION_DENIED") || (resp.Code() == 400 && value.String() == "INVALID_ARGUMENT") {
fmt.Printf("%v\n", green.Sprintf("✅ Not vulnerable to RouteToTraveledAPI"))
} else {
fmt.Printf("%v\n", red.Sprintf("❌ Vulnerable to RouteToTraveledAPI"))
Expand All @@ -410,7 +420,7 @@ func SpeedLimitRoadsAPI(api string, poc bool) {
resp := c.Send()
value := gjson.Get(resp.String(), "error.status")

if resp.Code() == 403 && value.String() == "PERMISSION_DENIED" {
if (resp.Code() == 403 && value.String() == "PERMISSION_DENIED") || (resp.Code() == 400 && value.String() == "INVALID_ARGUMENT") {
fmt.Printf("%v\n", green.Sprintf("✅ Not vulnerable to SpeedLimitRoadsAPI"))
} else {
fmt.Printf("%v\n", red.Sprintf("❌ Vulnerable to SpeedLimitRoadsAPI"))
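Review bot: The new `resp.Code() == 400 && value.String() == "INVALID_ARGUMENT"` branch prints "Not vulnerable" for every invalid-argument response, and nothing in the hunks shows that an invalid key is the only way to get that status; this applies to CustomSearchAPI, NearestRoadsAPI, GeolocationAPI, RouteToTraveledAPI and SpeedLimitRoadsAPI alike. If a probe request is ever rejected for its own parameters, a working unrestricted key would be reported as safe, which is the worse failure for a scanner. I would report that case separately, e.g. `fmt.Printf("%v\n", yellow.Sprintf("⚠️ Inconclusive (400 INVALID_ARGUMENT) for NearestRoadsAPI"))`, or also match the response's error message before treating it as a denial. Separately, in validateGoogleMapsApiKey `yellow.Sprintf(apiKey)` uses the rejected input as a format string, and `yellow.Sprint(apiKey)` prints it verbatim. The five check functions begin and end outside their hunks.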
1 change: 1 addition & 0 deletions main.go
Expand Up @@ -28,6 +28,7 @@ func main() {
flag.PrintDefaults()
return
} else {
validateGoogleMapsApiKey(apiFlag)
ApiChecks(apiFlag, pocFlag)
}
}
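Review bot: The added call `validateGoogleMapsApiKey(apiFlag)` hides an exit path, because the helper added in checks.go calls `os.Exit(0)` itself, so an invalid key ends the run with a success status and nothing in main shows that control may never reach ApiChecks. Having the helper return a bool and deciding here, `if !validateGoogleMapsApiKey(apiFlag) { os.Exit(1) }`, keeps the failure visible to scripts and pipelines that wrap the tool. main.go would need the `os` import for that if it does not already have it, which the hunk does not show. main's body starts outside the hunk.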
